Auto-renew Letsencrypt is almost mandatory after setting up the letsencrypt with nginx, I am using the default location of the certifications. /usr/local/etc/letsencrypt/live
Letsencrypt certificates can be used for other things than just a webserver. I use it for my mail server also, and my owncloud instance.
Every server is in its own jail on my FreeBSD server. And I plan to just make the script copy every certificate to all my jails.
Letsencrypt certificates has only a 3 month life-time. Which is okey when not paying a dime for it. At first I thought, well I can manually manage that. But now that my number of servers has grown that I have to manage, I really need the renewal to be automated.
I looked at the internet to see if anyone had done the work before, but I did not find anything that meet my demand, only close. So I took that and rewrote it for my needs. I like to share that for others, either to use it as it is, or to have it for inspiration for their own use-case. The “Auto-renew Letsencrypt” script can be found at my github page: https://github.com/kulmosen
Disclaimer: Use the code as is. This solved my use-case, but yours might vary.
Auto-renew Letsencrypt script
#!/bin/sh # Copyright (c) 2015 Marie Helene Kvello-Aune (marieheleneka at gmail dot com; http://savagedlight.me) # Copyright (c) 2016 Dennis Juhler Aagaard (dennis at kulmosen dot dk; http://kulmosen.dk) # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN # THE SOFTWARE. # # This script will check if the specified certificate will # expire in 14d or less and if so, instruct let's encrypt to renew it. # It will also reload the configured webserver if certificate is renewed. # # Start of configuration # # Change to reflect your correct email addresses. TOEMAIL="firstname.lastname@example.org" FROMEMAIL="root@FQDN" # Location of certificates. If other than default please change path. DIR="/usr/local/etc/letsencrypt/live" # Probably don't need to edit below here LETSENCRYPTSERVER='https://acme-v01.api.letsencrypt.org/directory' OPENSSL="/usr/bin/openssl" LETSENCRYPT="/usr/local/bin/letsencrypt" # Manage the nginx service to free up port 80. STARTWEBSERVER="/usr/sbin/service nginx start" STOPWEBSERVER="/usr/sbin/service nginx stop" STATUSWEBSERVER="/usr/sbin/service nginx status" # # End of configuration. # # # !!! DO NOT EDIT BELOW HERE !!! # cd $DIR # My Letsencrypt tend to put a log file in here. Clear that log file before running the script if [ -f "$DIR"/letsencrypt.log ] then rm -f "$DIR"/letsencrypt.log fi # Read the list of all domains in $DIR for domain in * do if $OPENSSL x509 -checkend 1209600 -noout -in "$DIR"/"$domain"/fullchain.pem then SUBJECT=""$domain" certificate still valid!" echo "The domain certificate for "$domain" is good for more than 14 days!" | mail -s "$SUBJECT" "$TOEMAIL" -r "$FROMEMAIL" exit else if $STATUSWEBSERVER then $STOPWEBSERVER fi $LETSENCRYPT certonly --renew --server $LETSENCRYPTSERVER -d $domain echo "Certificate is renewed. Retesting" if $OPENSSL x509 -checkend 1209600 -noout -in "$DIR"/"$domain"/fullchain.pem then SUBJECT=""$domain" certificate renewed!" echo "Certificate for "$domain" has been renewed and will be valid for the next 3 months." | mail -s "$SUBJECT" "$TOEMAIL" -r "$FROMEMAIL" else SUBJECT=""$domain" certificate renewal failed!" echo "Certificate failed to renew. Check logs to troubleshoot." | mail -s "$SUBJECT" "$TOEMAIL" -r "$FROMEMAIL" fi fi done # Starting webserver... if $STATUSWEBSERVER > /dev/null then exit else $STARTWEBSERVER fi exit
Update: “fixed typo in the script. WordPress do not handle > and < particular well.”